Running legacy operating systems in the public sector proved to be a big issue during the recent ransomware attacks across the United Kingdom.
The government needs to set aside specific funding for cybersecurity of critical services. With everything they are dealing with on the terrorism front, security services can't be expected to prioritise protecting their internal systems over and above protecting the public.
Organisations still running legacy operating systems that can't be patched need to put additional controls in place.
At a minimum, they need to monitor these systems closely. They need to look at who has access to them and look for changes in behaviour. These systems are often the initial compromise point, so it's critical that any unusual activity is caught early.
England's second-biggest police force has revealed that more than one in five of its computers were still running Windows XP as of July. Greater Manchester Police told the BBC that 1,518 of its PCs ran the ageing operating system, representing 20.3% of all the office computers it used. The figure was disclosed as part of a wider Freedom of Information request.
Microsoft ended nearly all support for the operating system in 2014. Experts say its use could pose a hacking risk. "Even if security vulnerabilities are identified in XP, Microsoft won't distribute patches in the same way it does for later releases of Windows," said Dr Steven Murdoch, a cyber-security expert at University College London.